diff --git a/policy/dns/base.bro b/policy/dns/base.bro
index 91031cbd69..75162075be 100644
--- a/policy/dns/base.bro
+++ b/policy/dns/base.bro
@@ -15,6 +15,7 @@ export {
 qtype_name: string &log &optional;
 qclass: count &log &optional;
 rcode: count &log &optional;
+ rcode_name: string &log &optional;
 QR: bool &log &default=F;
 Z: bool &log &default=F;
 AA: bool &log &default=F;
@@ -93,6 +94,7 @@ function set_session(c: connection, msg: dns_msg, is_query: bool)
 c$dns_state$last_active=network_time();
 c$dns$rcode = msg$rcode;
+ c$dns$rcode_name = base_errors[msg$rcode];
 if ( ! is_query )
 {
diff --git a/policy/dns/consts.bro b/policy/dns/consts.bro
index 442c402aea..f38b6f2d42 100644
--- a/policy/dns/consts.bro
+++ b/policy/dns/consts.bro
@@ -65,7 +65,7 @@ export {
 [22] = "BADTRUNC", ##< draft-ietf-dnsext-tsig-sha-05.txt
 [3842] = "BADSIG", ##< 16 <= number collision with EDNS(16);
 ##< this is a translation from TSIG(16)
- } &default="?";
+ } &default = function(n: count): string { return fmt("rcode-%d", n); };
 # This deciphers EDNS Z field values.
 const edns_zfield = {
diff --git a/policy/dns/passive-replication.bro b/policy/dns/passive-replication.bro
index 790e417a4b..0124f531e2 100644
--- a/policy/dns/passive-replication.bro
+++ b/policy/dns/passive-replication.bro
@@ -14,8 +14,8 @@ export {
 event bro_init()
 {
 Log::add_filter(DNS, [
- $name="passive-replication",
- $path="passive-replication",
+ $name="dns-passive-replication",
+ $path="dns-passive-replication",
 $pred=function(rec: DNS::Info): bool
 {
 if ( rec?$query && rec$query !in recent_requests )
diff --git a/policy/notice-action-filters.bro b/policy/notice-action-filters.bro
index 7fab6b7ff4..4ef9506f0d 100644
--- a/policy/notice-action-filters.bro
+++ b/policy/notice-action-filters.bro
@@ -1,5 +1,6 @@
 ## A few predefined notice_action_filters (see notice.bro).
 @load notice
+@load functions
 module Notice;
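Review bot: The new `c$dns$rcode_name = base_errors[msg$rcode];` in set_session sits above the `if ( ! is_query )` check, so it is filled in for queries as well as replies, just like `rcode` on the line before it. If a record can be written before a reply arrives (the logging path is outside this hunk), an unanswered query would carry the name for code 0 and read like a successful answer to anyone hunting on response codes. Consider moving both assignments inside the `if ( ! is_query )` block so the `&optional` fields stay unset until a response is seen. set_session's body starts and ends outside the hunk.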
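Review bot: The function-valued `&default` added in policy/dns/consts.bro has no comment telling readers what an unknown code now looks like in the log. The fallback changes from `"?"` to `rcode-<n>`, which keeps the numeric value visible for odd or unassigned codes, so a doc comment such as `##< unknown codes are rendered as "rcode-<n>"` next to the closing brace would help. Anything downstream that matched on `"?"` would need the same update. The table's opening line and name are outside the hunk.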